Mapping Roles to Restricted Areas

J2SE access control is based on roles. To restrict access to specific
HTML pages, servlets, JSPs, and so forth, you must define the following:

- The restricted areas, as listed in the Web module descriptors
  (web.xml)

- The roles that are granted access to each restricted area
  (in web.xml)

- User and group mappings to roles, which determine which specific
  users are authorized to access which restricted areas (in sun-web.xml)

Users can assume multiple roles. Access to a restricted area is allowed
once it is verified that the user has been assigned at least one of the
roles granted access to that area.
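The three definitions above can be cross-checked offline. The following is an added example, not code from the product or its samples: it reads a web.xml and a sun-web.xml and reports, for each restricted URL pattern, which users and groups gain access through at least one role, and which granted roles have no mapping. The descriptors, role, user and group names are constructed for illustration; it assumes DTD-style descriptors without XML namespaces and does not expand the "*" role name.

```python
import xml.etree.ElementTree as ET
# Constructed sample descriptors (role, user and group names are made up).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
      <role-name>auditor</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>administrator</role-name></security-role>
  <security-role><role-name>auditor</role-name></security-role>
</web-app>"""

SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping>
    <role-name>administrator</role-name>
    <principal-name>alice</principal-name>
    <group-name>webadmins</group-name>
  </security-role-mapping>
</sun-web-app>"""

def role_mappings(sun_web_xml):
    """role -> set of 'user:<name>' / 'group:<name>' from sun-web.xml."""
    out = {}
    for m in ET.fromstring(sun_web_xml).iter("security-role-mapping"):
        who = {"user:" + p.text.strip() for p in m.findall("principal-name")}
        who |= {"group:" + g.text.strip() for g in m.findall("group-name")}
        out.setdefault(m.findtext("role-name").strip(), set()).update(who)
    return out

def effective_access(web_xml, sun_web_xml):
    """url-pattern -> (principals allowed via any role, roles with no mapping)."""
    mapped, result = role_mappings(sun_web_xml), {}
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        if sc.find("auth-constraint") is None: continue  # no role restriction
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name")]
        allowed = set().union(*(mapped.get(r, set()) for r in roles))
        unmapped = sorted(r for r in roles if r not in mapped)
        for pat in sc.iter("url-pattern"):
            result[pat.text.strip()] = (allowed, unmapped)
    return result

if __name__ == "__main__":
    for pattern, (allowed, unmapped) in effective_access(WEB_XML, SUN_WEB_XML).items():
        print(pattern, sorted(allowed), "unmapped roles:", unmapped)
```

In the constructed sample, the auditor role is granted access in web.xml but mapped to no user or group in sun-web.xml, so only the principals mapped to administrator can reach /admin/*.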

Use the samples in the webapps/security directory of Sun Java System
Web Server 6.1, which apply various access restrictions, as templates.
For additional discussion of Servlet role-based security, refer to the Servlet
2.3 specification.